Saturday, May 14, 2011

Buby Script Basics Part 4

√ evt_http_message     
√ evt_scan_issue         
√ doActiveScan         
√ doPassiveScan         
√ excludeFromScope 
√ includeInScope       
√ isInScope
   issueAlert
   makeHttpRequest
   sendToIntruder
   sendToRepeater
   sendToSpider


In Part 3 of this series we covered the two methods with lines drawn through them (above: evt_http_message and evt_scan_issue).


In Part 4, the methods with checks next to them will be described along with code examples.





You can find sample scripts for each of these under the examples directory of the buby-script repo located Here.






includeInScope, excludeFromScope
----------------------------------------------


The code here is nothing more than two arrays. The first array, EXCLUSION_LIST, contains items we'd like to exclude from scope. The second array, INCLUSION_LIST, contains items to include.




This following portion of code contains a PREFIX array (both http and https). We perform an iteration of both and while iterating through this prefix array, we start iterating through a second list (EXCLUSION_LIST) and concatenating the prefix + host + the item in the EXCLUSION_LIST. This step is repeated for the INCLUSION_LIST. The $burp.includeInScope() method is called and we submit the concatenated value (url) to it. 






do_active_scan, do_passive_scan, isInScope


----------------------------------------------------


The def $burp.evt_proxy_message is a familiar one at this point in the series so we won't discuss this in detail. The code @@msg = nil exists solely to instantiate a global object called msg. We will need to keep an object associated with the request message (headers/body) because passive scanning requires both a request message and response message.


pre = is_https? 'https' : 'http' is just a way to define the "pre" object based on whether or not it is http or https message.


pre_bool does the same thing as the pre object but instead of http/https it is a true/false.


uri = "#{pre}://#{rhost}:#{rport}#{url}" is just the url (string concatenation). 



The last three lines of code here basically set the @@msg value. We only want to do this if it is a request. Remember, we need an object to hold the request message so that even if the current message is a response we can call both the request message and response message.








Next bit of code basically says, if this message is in scope AND is a request message, start performing an active scan. Otherwise if it is a message which is in scope but a response message then perform passive scanning. 


$burp.do_active_scan takes 4 objects
-rhost           => host value
-rport           => port value
-pre_bool    => true/false based on whether or not it is https
-message    => String value (or Java bytes), full message (request only of course)


$burp.do_passive_scan takes 5 objects


-rhost           => host value
-rport           => port value
-pre_bool    => true/false based on whether or not it is https


-@@msg    => request message, string value (or Java bytes)
-message    =>  response message, string value (or Java bytes)








Okay, next up is Part 5 of this series where we will cover the rest of the methods listed above.


Happy Hacking,


~cktricky



No comments:

Post a Comment